This copy is for your personal, non-commercial use only. To order presentation-ready copies for distribution to your colleagues, clients or customers, click the "Reprints" link at the top of any article.

Internal Controls in 2013

On Tuesday, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its Internal Control—Integrated Framework. COSO was formed in 1985 by the AAA, AICPA, FEI, IIA, and IMA to provide thought leadership in three areas: enterprise risk management, internal controls, and fraud deterrence. The organization released its original internal controls framework in 1992. This week’s update is the first revision to that document, and it represents two and a half years of work by COSO and by PwC, which authored the new framework under the direction of the COSO board.

The COSO Framework is designed to be applied companywide, and it can help managers maintain controls over a wide swath of treasury and finance functions. “When people think of controls, they think of general ledgers and external financial reporting, but the Framework is intended to be applied broadly,” says David Landsittel, chairman of COSO. “We articulate three overall objectives that companies can apply controls to—reporting, compliance, and operations objectives—and there’s overlap between them. In the treasury function, certainly there needs to be control over hedging or trading. Depending on the nature of the organization, that might be an operational control, but it might have financial reporting implications as well.”

Across the three objectives, the COSO Framework presents five key components of internal controls: the control environment, risk assessment, control activities, information and communication, and monitoring activities. In the latest iteration of the Framework, the core objectives and components remain unchanged from the 1992 version, but this version adds a list of principles associated with each component. The idea is that an organization which abides by these principles can ensure that its internal controls infrastructure meets the standards of the Framework.

“In the updated version of the Framework, we articulate 17 principles that need to be addressed in order to conclude that the five components are present and functioning,” Landsittel says. “We believe that making the principles more explicit makes the document easier to apply because it’s easier to see what it takes to have an effective system.” (The principles are listed on page 2 of this article.)

In addition to clarifying internal control requirements by articulating these 17 principles, the revised Framework includes broadened operations and reporting objectives—for example, covering internal management reporting as well as external reporting, for both financial and nonfinancial data. It also provides an updated context that reflects the changes in the business environment over the past two decades, including changes in technology, changes in expectations around governance and compliance, and increased complexity in companies’ business models created by practices such as outsourcing.

Still, the controls remain principles-based rather than rules-based. “We think that one size doesn’t fit all, and what is an appropriate control activity for one organization differs from what might be appropriate for another,” Landsittel says. “We believe the Framework has universal applicability for all kinds of organizations, so we don’t get down to what specific control activity or procedure is appropriate in a particular instance. The use of judgment is emphasized throughout. The Framework is relevant to the treasury function, but it isn’t a straitjacket that treasury managers need to worry about.”

An organization that abides by the following 17 principles can conclude that the five key components of its internal controls structure are functioning effectively:

Control Environment

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

These principles come from the updated COSO Internal Control—Integrated Framework. For more information about the current version of the COSO Framework, COSO has made a Q&A and Executive Summary available free of charge.

Treasury & Risk

Treasury & Risk is an online publication and robust website designed to meet the information needs of finance, treasury, and risk management professionals. Our editorial content, delivered through multiple interactive channels, mixes strategic insights from thought leaders with in-depth analysis of best practices, original research projects, and case studies with corporate innovators.